April 2008


With the news this past week of over 500,000 web pages being compromised, it bears repeating: if you are a reader of my blog, you’ve heard me suggest that you use an alternative browser like Firefox.  Not that Firefox is ’safe’, because all software written has vulnerabilities.  That is a fact.  But you can combat these types of attacks by using Firefox and then installing the add-on called NoScript.  After installing this, you control what scripting gets executed.  These attacks always point at bad places such as servers hosted in our friendly nation of China.  If you had gone to a site that was hacked, you would have seen this script and those funny host names mentioned in my previous post.

Make the switch if you haven’t already.  Firefox has great features, and using some of these add-ons will actually protect you from these JavaScript injection attacks.  Take care and have a safe week!

Well, this past week brought another large-scale hacking of legitimate sites, including some belonging to the UN, the UK government, .edu sites, and many travel sites, to name just a few.  The hack includes a redirect that sent visitors to the exploited sites on to some servers in China, which ran 8 exploits including MS07-004 for IE.  This has now become a more common pattern: compromise trusted sites, then use them to send visitors to the criminal attackers’ bad websites.  The two sites it pointed to were IPs that belonged to China.  Surprise!

Just do a Google search on these domains and you will see how widespread the problem is.  Search on them, but don’t go to any of these sites: nihaorr1.com and haoliuliang.net.

The lessons learned here are these.  No longer can we say there is something called a trusted site.  I use the Firefox browser with an add-on called “NoScript”.  Check it out.  It allows you to control what JavaScript runs and what doesn’t.  And of course patching is VERY important.  Patch your Microsoft software, your Firefox browser, QuickTime, iTunes, RealPlayer, WinZip, Adobe Reader, Adobe Flash, and any other software that you use.  Here are the facts.  Due to crappy programming, the Computer Security field is going strong.  This is the core problem.  No easy answers here, but you can do the things mentioned above.
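The injected script tags these posts describe are something a site owner or a monitoring team can look for in fetched page content. The following is an added example written for this post, not code from the original author: it parses an HTML document, collects every remote `<script src>` and `<iframe src>`, and flags loads from hosts other than the page’s own, marking the two domains named above as known bad. The sample HTML, the page host `www.example-travel.test`, and the script path are constructed for the example; only the two domain names come from the post.

```python
"""Flag third-party script/iframe loads injected into fetched HTML.

Added example for this post, not the original author's code. The sample
page and host names are constructed; only nihaorr1.com and haoliuliang.net
are taken from the post.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Redirect destinations named in the post as part of the mass compromise.
KNOWN_BAD_HOSTS = {"nihaorr1.com", "haoliuliang.net"}


class _LoaderCollector(HTMLParser):
    """Collect every remote resource a page pulls in via <script src> or <iframe src>."""

    def __init__(self):
        super().__init__()
        self.loads = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.loads.append((tag, src))


def _host_of(src):
    """Return the lower-cased host of a src attribute, or None for relative paths."""
    if src.startswith("//"):          # protocol-relative URL
        src = "http:" + src
    parsed = urlparse(src)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return parsed.netloc.lower()
    return None


def _is_known_bad(host):
    """Match the bad domain itself or any subdomain of it."""
    base = host.split(":")[0]
    return any(base == bad or base.endswith("." + bad) for bad in KNOWN_BAD_HOSTS)


def find_injected_loaders(html, page_host):
    """Return findings for script/iframe loads that leave the page's own host.

    Each finding is a dict with tag, src, host and severity: 'known_bad' when
    the host is in KNOWN_BAD_HOSTS, otherwise 'external' for a reviewer to vet.
    """
    collector = _LoaderCollector()
    collector.feed(html)
    findings = []
    for tag, src in collector.loads:
        host = _host_of(src)
        if host is None or host == page_host.lower():
            continue  # relative or same-host load; not what the injection looked like
        severity = "known_bad" if _is_known_bad(host) else "external"
        findings.append({"tag": tag, "src": src, "host": host, "severity": severity})
    return findings


# Constructed sample: a legitimate page with one injected script tag at the end of the body.
SAMPLE_HTML = """<html><head><script src="/js/site.js"></script></head>
<body><h1>Travel deals</h1>
<iframe src="https://www.youtube.com/embed/constructed"></iframe>
<script src="http://www.nihaorr1.com/constructed.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in find_injected_loaders(SAMPLE_HTML, "www.example-travel.test"):
        print(finding["severity"], finding["tag"], finding["src"])
```

Run it over the HTML you save from a crawl of your own site; anything reported as `external` that you did not put there deserves a look, and `known_bad` means the page has been tampered with.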

Stay safe out there and I’ll be posting another story later this weekend.  I’ve been busy and haven’t had too much time.  We have been tracking this particular story where I work and I wanted to pass this along to you also.  Rock Chalk Jayhawk GO KU!!!  And remember, North Carolina Tarheel fans don’t have to listen to any of my advice.

A common question I ask when giving presentations on computer security is how many people have changed the password on their personal e-mail account in the past year.  In the corporate world, you can control how often a user has to change their corporate password at work.  Most answers I get back about the personal e-mail password are that they never have, or maybe they did one time a couple of years ago.

Now let’s think about an attacker who compromises your home PC.  He has a keylogger (a program that records a user’s keystrokes and sends them back to an attacker’s evil server) and has recorded you typing the user name and password for your personal e-mail account.  OK, now let’s think.  Maybe you bank at a large national bank, you have a PayPal account, you have an eBay account, and you have many other common online accounts that a criminal attacker could take over for his nefarious activities.  Do those accounts use the same user name and password as your personal e-mail account?  Am I making you think about changing your password and using different user names and passwords for other accounts?  Hopefully so.

The lesson learned here is to change your password and don’t share user names and passwords with other financial accounts that you might have.  Create a strong password by using upper case, lower case, numbers and special characters.  Use a password that is actually longer than 8 characters.  Use something like a passphrase that will be easier for you to remember.
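To make the advice above concrete, here is an added example (my code for this post, not the original author’s) that checks a password against the three points just made, more than 8 characters, mixed character classes and enough estimated entropy, and also looks for the reuse problem from the keylogger scenario by grouping accounts that share a password. The thresholds (9 characters, 3 classes, 60 bits) and the sample accounts are assumptions chosen for the example; the entropy figure is the usual upper bound for uniformly chosen characters, so a passphrase of dictionary words is really weaker than the number suggests.

```python
"""Check a password against the post's advice and look for reuse across accounts.

Added example for this post, not the original author's code. Thresholds and
sample accounts are assumptions made for illustration.
"""
import hashlib
import math
import string

# Size of each character class when estimating entropy (33 printable ASCII specials).
POOL_SIZE = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def char_classes(password):
    """Return the set of character classes present: lower, upper, digit, special."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")  # punctuation, space, anything else
    return classes


def estimated_entropy_bits(password):
    """Length times log2 of the combined pool of the classes used (an upper bound)."""
    pool = sum(POOL_SIZE[c] for c in char_classes(password))
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password, min_length=9, min_classes=3, min_bits=60):
    """Apply the post's advice. Returns (ok, list of problems).

    Thresholds are assumptions for this example: more than 8 characters,
    at least three classes, and at least 60 estimated bits.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"only {len(password)} characters; use more than 8")
    if len(char_classes(password)) < min_classes:
        problems.append(f"use at least {min_classes} of upper, lower, digits, special")
    bits = estimated_entropy_bits(password)
    if bits < min_bits:
        problems.append(f"estimated {bits:.0f} bits; aim for {min_bits} or more")
    return (not problems, problems)


def find_reused(accounts):
    """Given {account: password}, return sorted groups of accounts sharing a password.

    Passwords are grouped by SHA-256 digest so the plaintext is not used as a key.
    """
    groups = {}
    for account, password in accounts.items():
        digest = hashlib.sha256(password.encode()).hexdigest()
        groups.setdefault(digest, []).append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample accounts (not real credentials): e-mail and bank share a password.
SAMPLE_ACCOUNTS = {
    "personal e-mail": "Tr0ub4d0r&3",
    "bank": "Tr0ub4d0r&3",
    "ebay": "my jayhawks won in 2008!",
}

if __name__ == "__main__":
    for name, pw in SAMPLE_ACCOUNTS.items():
        ok, problems = check_password(pw)
        print(f"{name}: {'ok' if ok else 'weak'} {problems}")
    print("same password used by:", find_reused(SAMPLE_ACCOUNTS))
```

The sample shows both failure modes at once: “Tr0ub4d0r&3” passes the strength check yet is shared between the e-mail account and the bank, which is exactly what the keylogger scenario exploits, while the longer passphrase passes comfortably on length alone.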

Hope everyone’s weekend is going great and stay safe out there.

The National Cyber Security Alliance (NCSA) announced study findings that 71 percent of consumers lack knowledge of cyber criminals’ weapon of choice and the Internet’s fastest growing threat — botnets. This sadly tells a story that I and many other computer security professionals already know. Botnets are comprised mostly of consumers’ computers and are increasingly being used to perpetrate identity theft and spread viruses.
“Last June, the FBI identified more than one million computers infected with malware which could have been hijacked and used as part of an army of bots to attack other computers, spread malware, or attack our nation’s infrastructure,” said Ron Teixeira, executive director of the NCSA. These results were announced at the RSA conference last week. “Botnets continue to be an increasing threat to consumers and homeland security. Consumers’ unsecured computers play a major role in helping cyber criminals conduct cyber crimes not only on the victim’s computer, but also against others connected to the Internet.”
The study also shows that Americans are largely unaware that their computer’s security plays a role in our nation’s security and in preventing online crime. The scary thing is that a majority of respondents think it is not likely their computer could affect homeland security, while only 51 percent think it is possible for a hacker to use their computer to launch cyber attacks.
“It is alarming that consumers do not know how to secure their computers,” said Teixeira. “It is important for consumers to understand that safe cyber security practices not only protect them from identity theft, but also prevent cyber crime and attacks. By taking simple steps, consumers can protect themselves from cyber crimes and join our effort to protect other Internet users.”

Additional findings from the study* include:
- 71 percent have never heard the phrase “botnet”, the weapon of choice for cyber criminals
- 59 percent think it is not likely their computer could affect homeland security
- 47 percent believe it is not possible for a hacker to use your computer to launch cyber attacks or crimes against other people, businesses and our nation
- 51 percent have not changed their password in the past year
- 48 percent do not know how to protect themselves from cyber criminals
- 46 percent of consumers are not sure of what to do if they became a victim of a cyber crime

I say this to you… your biggest weapon against the criminal attackers is knowledge. Educate yourself on the steps you can take to secure your PC at home.

Congrats to my Kansas University Jayhawks for winning the NCAA National Championship. Gotta love those Hawks! As we like to say around this part of the country, Rock Chalk Jayhawk. GO KU!!! Have a safe week.

One thing that criminal computer attackers like to use in their phishing e-mails is some current event.  All around the world, there is a lot of support for Tibet against the Chinese government.  With news coming out being restricted by the Chinese, people are hungry for information.  What a perfect setup for a social engineering tactic to get people to click on either attachments or links in phishing e-mails.

Never trust unsolicited e-mail, period.  Never, never, never trust it.  No matter what the topic of the e-mail, never click.  Computer attackers need your help before YOU can be taken advantage of.  Clicking things many times installs the attacker’s downloader, which then downloads and installs the really nasty code.  Gone are the days when misspelled words and broken English in an e-mail gave us a clue that something wasn’t right.  Attackers have linguists, psychologists, and some really smart people who can code the malware (criminal malicious software), and you are the target.

Remember that they need you to click on either an attachment or link to a malicious site to take advantage of you.  You are your own best defense.  Know the tactics being used.  Be prepared and don’t click.  NEVER.

It was a short night for me because I was watching my Kansas University Jayhawks win the National Championship game last night.  Gotta love those Hawks and I’m so happy for Coach Self and every single kid on that team but especially the 5 seniors on the team.  Rock Chalk Jayhawk.  GO KU!!!  What a season and what a dramatic finish.  Now the story is, what will Coach Self do when he gets offered TONS of money to move to coach Oklahoma State University.  Personally I think he will stay and be there for a long time.

Stay safe out there.  Rock Chalk!!  We’ll talk again in a few days.

Well any readers know that I’m a big Kansas University fan and we played the Tarheels from Carolina tonight. Kansas dominated out of the box but then went flat before finishing the Tarheels from UNC. Well I must admit that I was worried when Carolina made its big run.

Anyone familiar with Kansas University basketball knows that Roy Williams left Kansas as the coach and went back home to UNC to coach. Many in this part of the country are mad at Roy. Well, I’ve been asked whether I am mad at Roy for leaving after 15 years at KU. I say this every time. During the KU run in the 2003 Final Four, I always felt that Dean Smith was actively going after Roy right in the middle of when he should have been concentrating on KU. Everyone saw it: after KU had won a game, I think against Duke, a reporter was asking Roy about the UNC coaching vacancy. His comment was not censored when he said “I don’t give a sh@t about North Carolina” on CBS. Wasn’t true, but at the time, around here we all felt the same way. Long story short. He left. So I was really ready to play them when they both went on to the Final Four this year.

Really I was concerned because Roy is a great coach and his teams were always good. Kansas is a very good team this year also. Anyway, Roy, I’m good with you. I’m not among the haters here. And for us fans, I felt pretty good as well as all others in Jayhawk country after the game was over. Rock Chalk Roy. Join us in cheering on the Kansas University Jayhawks Monday night.

Next post will actually be about computer security. I promise. Bring it home Hawks!!!

I am signed up for regular online newsletters through SANS.org which is a computer security site that I reference daily.  In this current issue I found this story to be applicable to many people out there today.

Here is the story:

John Y. at a US community college writes us:
A computer used by one of our staff was compromised in December, and began sending email advertisements for Viagra and Cialis to large numbers of addresses. We caught it fairly quickly because we have monitors that look for that kind of behavior on our network.  An analysis of the computer showed that it had been infected when the user visited a small Mom-and-Pop type arts & crafts store on the web. The Mom-and-Pop website had been “re-programmed” by someone in Ukraine to send a blast of software attacks at anyone unlucky enough to visit it.  One of these attacks was directed against a vulnerability in a version of Apple QuickTime released just two weeks before the attack. Symantec Anti-Virus stopped all of the attacks except the QuickTime attack.  Sadly, it only takes one successful attack to compromise any computer.

Lessons We Learned
- Small Mom-and-Pop websites can pose a greater risk than the sites of big vendors like Amazon.com. Owners of small businesses often don’t have the expertise or resources to protect their sites from being compromised and used by Bad Guys. Once a website has been compromised, it can then be used to attack your computer.

- Anti-virus is still a necessary defense, but it can’t do the whole job.  In the past, computer criminals wrote viruses that broadcast themselves all over the Internet, making it easier for anti-virus companies to identify them and develop a countermeasure quickly.  Now, attacks are much more targeted and the criminals have gotten better at making attack software that is harder to detect. Anti-virus makers are finding it difficult to keep up with the criminals.

- Bad Guys are targeting many applications that run on your computer, as well as the operating system. The campus computer that was compromised was completely up-to-date with its Windows security patches. But in order to keep your computer secure (besides patching Windows, Internet Explorer, and Office, all done automatically through update.microsoft.com), you have to patch commonly installed applications like QuickTime, RealPlayer, Adobe Reader, Adobe Flash Player, and Sun Java, all of which can be attacked through your email or web browser.

—————-

Now, we’ve talked about these other applications and the importance of patching.  Many of these vendors are automating the process of updating their applications.  It’s not there yet, so you need to make sure on your own that these applications are patched.  Most times, you can open them up, go to the HELP menu, and there you will find an option to Check for Updates.  Do this to protect yourself.
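Clicking Help and Check for Updates in each program works for one PC. If you are looking after several, the same check can be done from an inventory: record what version of each application is installed and compare it against the version you consider patched. The script below is an added example for this post, not the author’s or SANS’s code; its inventory, application names and version numbers are made-up placeholders for illustration and are not a statement of which releases were actually patched. The one detail worth learning from it is that versions must be compared numerically, field by field, because as plain strings “10.0” sorts before “9.5”.

```python
"""Audit an installed-application inventory against minimum patched versions.

Added example for this post, not the original author's or SANS's code. The
inventory and the minimum versions below are placeholders chosen for
illustration; substitute the current vendor versions when you use this.
"""
import re


def parse_version(text):
    """Split '7.4.1', '9.0 r115' or '1.6.0_05' into a tuple of ints.

    Numeric tuples compare correctly; plain strings do not ('10.0' < '9.5').
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def needs_update(installed, minimum):
    """True when the installed version is older than the minimum patched version."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # '7.4' compares equal to '7.4.0'
    b += (0,) * (width - len(b))
    return a < b


def audit(inventory, minimums):
    """Return (outdated, unknown).

    outdated: applications behind their minimum patched version.
    unknown: applications with no baseline, to be checked by hand (Help > Check for Updates).
    """
    outdated = sorted(app for app, ver in inventory.items()
                      if app in minimums and needs_update(ver, minimums[app]))
    unknown = sorted(app for app in inventory if app not in minimums)
    return outdated, unknown


# Constructed sample data; placeholder version numbers, not real vendor releases.
INSTALLED = {
    "QuickTime": "7.4.1",
    "Adobe Reader": "8.1.2",
    "Adobe Flash Player": "9.0 r115",
    "Sun Java": "1.6.0_05",
    "WinZip": "11.2",
}
MINIMUM_PATCHED = {
    "QuickTime": "7.4.5",
    "Adobe Reader": "8.1.2",
    "Adobe Flash Player": "9.0.124",
    "Sun Java": "1.6.0_05",
}

if __name__ == "__main__":
    outdated, unknown = audit(INSTALLED, MINIMUM_PATCHED)
    print("Update now:", outdated)
    print("No baseline, check by hand:", unknown)
```

On Windows the installed versions can be read from Add/Remove Programs or the program’s About box; wherever they come from, feed them into the inventory dictionary and keep the minimum list current as vendors release fixes.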

Tonight is the BIG GAME!!! Remember all Tarheel fans can disregard any advice I give.  Tyler Hansborough (Don’t know if that is the correct spelling.  Really don’t care.) is on the cover of SI so hopefully that will be the famous SI Jinx.  ROCK CHALK JAYHAWK!!! GO KU!!!!  Love my Jayhawks and both these games today will be awesome to watch.  Stay safe, patch and may my Jayhawks from the University of Kansas bring home the National Championship.